What's new

Port Mirroring question (iptables -tee)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

orutra

New Around Here
I have been doing hard testing on port mirroring wit iptables -tee. My starting point has been the related topics in this forum (thanks!). My intention is to capture (mirror) all traffic from one host (RPi 192.168.1.99) to internet to a testing box (ubuntu 192.168.1.100).

Usually this is done with iptables -tee command affecting the 'mangle' table for PREROUTING and POSTROUTING chains, to clone incoming and outgoing packets.
iptables -t mangle -A PREROUTING -j TEE --gateway 192.168.1.100
iptables -t mangle -A POSTROUTING -j TEE --gateway 192.168.1.100

In my testing, I have discovered that the iptables rules must be set carefully, in order to avoid duplicating packets (if we don't specify source/destination ip's, the packets from LAN to internet will be cloned by both PRE and POSTROUTING rules, and since both have the same source ip (192.168.1.99 in my test) there are DUP packets in capture (the answers in this forum are correct, because they specify src ip address in PRE- rule and dst ip in POST- rule, so, no DUP's).

My problem is that, when performing the capture in the gateway box, only the initial 3-way handshake TCP connection is captured. Later, I have learnt that this is because conntrack is in action.

I have tested doing the capture in mangle and raw tables in PREROUTING, but the behavior is the same. I had expected, that clonning the packets at raw table of prerouting, all traffic would be cloned, but is not.

My question is: Is this behavior what is being expected?, that is, Conntrack takes precedence over iptables, and once a conntrack is saved, no traffic transverses iptables? If so, how can clone all traffic to the testing box?

I attach a image capture from the testing box of a web request from the RPi to a web page, with the following iptables rules, note that all traffic is SYN /ACK (also traffic to google is captured, due to using Chromium, but it is also SYN /ACK)
iptables -t raw -A PREROUTING -s 192.168.1.99 -j TEE --gateway 192.168.1.100
iptables -t raw -A PREROUTING -s 217.160.0.65 -j TEE --gateway 192.168.1.100


--->PREROUTING------------------>[ROUTE]--->FWD---------->POSTROUTING-------------->
1st contrack or raw??
2nd contrack or raw??
3rd mangle
4th nat

Thanks!
upload_2020-1-10_12-31-14.png
 
Disable hardware acceleration and you should see the packets. If you still have problems I suggest you try using these commands with the Wireshark filter set to ip.addr == 217.160.0.65
Code:
modprobe xt_TEE
iptables -t mangle -A PREROUTING  -s 192.168.1.99 -j TEE --gateway 192.168.1.100
iptables -t mangle -A POSTROUTING -d 192.168.1.99 -j TEE --gateway 192.168.1.100
 
Thank you so much!!!!

Disabling hardware acceleration (NAT acceleration - CTF) did the trick!!. All packets are cloned and captured by wireshark.

I should have read something about HW acceleration, now, that I have done, everything is clear. Thank you very much for your help and support.

I attach the capture with exactly the same test that I made in my previous post (I have hidden my public ip, since I am capturing the webserver responses at prerrouting level)

upload_2020-1-11_18-55-21.png
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top